grant select on view

oracle select database-schema grant
Gerben picture Gerben · Jun 19, 2014 · Viewed 88.2k times · Source

somewhere along the way something is going wrong, and I can't seem to find out why. If this is already asked apologies.

I have 3 schema's in my database: COLLDESK LOCAL_IT GERBEN

COLLDESK is our main schema, LOCAL_IT is where we do our local development, and GERBEN is the end user (should only have select options).

Now I have a table in my COLLDESK schema called GESTIONES. In LOCAL_IT I have a view called ACTIONS. This is holding 4 columns from the table GESTIONES in the COLLDESK schema. So far so good!

Now I want to give the GERBEN schema select privileges in the view ACTIONS. But when I say

grant select on LOCAL_IT.ACTIONS to GERBEN

I get the error ORA-01720: grant option does not exist for COLLDESK.GESTIONES

Now I tried giving GERBEN select privileges to GESTIONES, but I am still getting the error message

Any help would be greatly appreciated!

Kind regards

Gerben

Answer

Nicolas de Fontenay picture Nicolas de Fontenay · Mar 21, 2016

The error message should be written like this:

ORA-01720: "grant option" does not exist for COLLDESK.GESTIONES.

Here's how it works:

You have 3 schemas:

  • Schema1 - Holder of a table named "table1"
  • Schema2 - Holder of a view "view1" selecting from schema1.table1
  • Schema3 - User, selecting from schema2.view1 - has no select granted on schema1.table1.

You probably have done the following:

grant select on schema1.table1 (COLLDESK.GESTIONES) to schema2;

Note that since you're creating a view, the select must granted directly to schema2, your view won't work if the select is granted through a role.

Now you are trying to allow a 3rd schema (schema3) to use the view read data from schema1. For security purposes, a schema2 will never be allowed to access data from schema1 to a 3rd schema even if it can view the data. This would be a huge security hole otherwise.

So the solution is to make it explicit that schema2 will be able to grant that select privilege, indirectly, when a 3rd party is granted the select privilege on the view.

Solution:

grant select on schema1.table1 to schema2 with grant option;

Now schema2, is allowed to grant select on its view to 3rd parties:

grant select on schema2.view1 to schema3;

For you:

grant select on COLLDESK.GESTIONED to LOCAL_IT with grant option;
grant select on LOCAL_IT.ACTIONS to GERBEN;

Also: Avoid using public views and public db links unless absolutely necessary. Deplete every other options first.

Related questions

DATEDIFF function in Oracle

I need to use Oracle but DATEDIFF function doesn't work in Oracle DB. How to write the following code in Oracle? I saw some examples using INTERVAL or TRUNC. SELECT DATEDIFF ('2000-01-01','2000-01-02') AS …

Read More
If statement in select (ORACLE)

Hi I have simply select and works great: select 'CARAT Issue Open' issue_comment, i.issue_id, i.issue_status, i.issue_title, i.ISSUE_summary ,i.issue_description, i.severity, gcrs.Area_name, gcrs.sector_name, substr(gcrs.stream_…

Read More
How to use a table type in a SELECT FROM statement?

This question is more or less the same as this In the package header : Declared the following row type: TYPE exch_row IS RECORD( currency_cd VARCHAR2(9), exch_rt_eur NUMBER, exch_rt_usd NUMBER); And this table type: TYPE …

Read More